Health execs’ wish list for 2017: security, analytics, pop health…and telehealth (US)

Healthcare IT News published the results of its October survey of 95 healthcare executives on their forward plans (resolutions?) for 2017. Unsurprisingly, it centers on upgrades in the following areas:

  • Data security (52 percent)–definitely making up for lost time and spending due to the obvious threats from hacking and data breaches. In November alone, nearly two incidents a day (57) and over 458,000 records were reported by healthcare entities to HHS. (Protenus Breach Barometer)
  • Data analytics (51 percent)–figuring out what to do with all that patient data generated by….
  • Patient engagement and population health (44 percent each)–demanded by quality standards in CMS’ MACRA Quality Payment Program (QPP), including the Merit-Based Incentive Payment System (MIPS) and the Advanced Alternative Payment Models (APMs)
The surprises come here–the technologies they expect to introduce or investigate. Analytics and workflow correspond to the last two points above, but what is compelling is an apparent tipping point for technology which links the patient to care monitoring and access: telehealth (44 percent), smart medical devices (41 percent) and remote patient monitoring (34 percent). These overlap (as in telehealth and RPM require smart medical devices), yet these are strong numbers if they accurately reflect these execs’ actual (or eventual) spending. (Does it point to more clinically validated use of trackers like Fitbit? The Magic 8 Ball does not tell here….)

The presence of 2016-17’s ‘It Girl’, precision medicine (21 percent), which applies both data analytics and genomics to improve patient outcomes, isn’t surprising with the emphasis on quality care.

One can quibble that the sample size is small (N=95), and the report doesn’t confirm selection details like title, location and type of organization, but the direction has to be cheering on many fronts. HITN’s overview, survey results (16 slides)

VA’s moves spell the end of the homegrown EHR

The Veterans Health Administration (VHA) is formally reaching out to the private sector to explore switching from its current, pioneering EHR system, VistA (whose clinician-facing front end is CPRS, the Computerized Patient Record System), to a commercial system. The ‘feeler’ is an August 5 and 8 notice in FedBizOpps.gov titled 99–TAC-16-37877 * RFI – VHA supporting COTS EHR REQUEST FOR INFORMATION (RFI), Solicitation Number: VA11816N1486. It requests information on business support for transitioning to a commercial-off-the-shelf system (COTS–don’t governments love acronyms?–Ed.) and closes 26 August, which is not a lot of time even for an RFI.

VHA has been under extreme pressure from Congress to modernize its EHR, lately in July hearings before the Senate Appropriations Committee. EHR replacement is also in line with the Congressionally-mandated, now concluded Commission on Care’s recently published recommendations on a total, top-down reorganization of VHA, including a sweeping reorg of their HIT management. The VHA strategy appears to be that while they are walking down the road to replace VistA and have already spent to assess where they are with KLAS and other EHR consultancies (spending $160,000+ on surveys), they are essentially ‘kicking the can down the road’ to the next administration (POLITICO’s Morning eHealth, 14 July).

The current state is to continue to upgrade VistA through late 2018, though the closely related Department of Defense’s Military Health System is in the long process of cutting over its homegrown AHLTA to Cerner-Leidos as MHS Genesis, awarded last August, with a first trial in the Pacific Northwest later this year (HealthcareITNews, Ed. emphasis). Of course, it will take the VHA years to roll it out; there are close to 9 million veterans enrolled in the closed system that is the VHA. FCW, Morning eHealth 10 August

Love EHRs or hate them, the sheer size of the VHA and its growing concession that VistA won’t do in caring for American veterans makes it clear that the future of EHRs is in private systems from major developers–a field which is winnowing out to The Few (take that, GE).

IoT and the inevitable, looming Big Data Breach

The Gimlet Eye returns to once again cast a baleful gaze on All Those Connected Things, or the Plastic Fantastic Inevitable. Those 6.4 billion connected things (Gartner’s forecast for 2016): Wi-Fi-connected tea kettles, smart fridges, remotely adjusted pacemakers (and other medical devices) plus home security two-way video systems that accost the dodgy door ringer all sound just peachy–but how good is their security? Not very, according to the experts quoted in this ZDNet article. It’s those nasty security flaws in IoT, the kind patched out of PCs 10 years ago, that make them incredibly risky to have, as they can vector all sorts of Bad Things into both personal and enterprise networks. The prediction is that a Connected Device with a big flaw will become molto popular and provide a Target a Hacker Can’t Refuse within two years. Or that some really clever hacker will write ransomware that shuts down millions of Connected Cars’ CPUs or disables the steering and brakes if 40 bitcoins aren’t placed in a brown paper bag and left on the third stool of the pizzeria at 83rd and Third.

Not much has changed since Eye wrote about those darn Internet Thingys last year [TTA 22 Sept 15]. The mystery is of course why these antique flaws are even part of the design. Designers being cheapskates? No consideration of security?

‘Protecting Patient Information’–a ‘worst case scenario’ book for HIT

A much-needed book in the age of Hacker/RansomwareMania. Newly published, ‘Protecting Patient Information’ by Paul Cerrato is subtitled ‘A Decision-Maker’s Guide to Risk, Prevention, and Damage Control’. It’s not a tome at 162 pages, since it’s written not for academics or IT Gearheads but for physicians (including doctors running small practices), nurses, healthcare executives and business associates. It takes a practical, three-part approach to IT security in healthcare organizations which can be applied internationally:

  1. How to do an in-depth analysis of the organization’s risk level
  2. How to lower the risk of a data breach within the myriad of Federal and state rules regarding protected PHI
  3. How to deal with a data breach, even if you’ve followed 1) and 2) (this may be the ‘worst case scenario’ part of the book)

The preface to the book is written by John Halamka, MD, CIO of Beth Israel Deaconess Medical Center in Boston and a professor at Harvard Medical School. It will set you back about $42, but it’s worth it. Hat tip to our friends at HITECH Answers via Twitter. If you’ve read the book or will read it soon, this Editor and your fellow Readers would be interested in your thoughts or even a review.

The security risks, and the promise of, the Internet of Things

Jason Hope, who back in September wrote that one of the greatest impediments to the much-touted Internet of Things (IoT) was not security but the lack of a standardized protocol that would enable devices to communicate, has continued to write on both this topic and IoT security. While The Gimlet Eye had great fun lampooning the very notion of Thingys Talking and Doing Things Against Their Will [TTA 22 Sept 15], and this Editor has warned of the security risks of over-connecting home devices (see below), we are relentlessly moving towards it. The benefit in both healthcare monitoring/TECS and safely living at home for older adults is obvious, but these devices must work together easily, safely and securely. To bend the English language a bit, the goal is ‘commonplaceness’–no one thinks much about the ubiquitous ATM, yet two decades ago ‘cash machines’ were not in many banks and (in the US) were divided into regional networks.

As Mr Hope put it as the fifth and final prediction in his recent article:

The IoT Will Stop Being a “Thing”
How many times in the past week have you said, “I am getting on to the World Wide Web?” Chances are, not very many. How many times have you thought about the wonder of switching on a switch and having light instantly? Probably never. Soon, the Internet of Things, and connectivity in general, is going to be so commonplace, we also won’t think about it. It will just be part of life and the benefits and technology that wow us right now will cease to be memorable.

This Editor continues to be concerned about how hackers can get into devices,

Health tech innovations are doing little for baby boomers

Wonder why the duck is upside down and sinking? Maybe it’s looking for all that transformative tech! Versus The King’s Fund’s sunny article above is Laurie Orlov in Boomer Health Tech Watch. Her POV is that, as of right now, health tech innovations are not moving the needle for obese (39 percent) and chronically diseased US baby boomers. They aren’t downloading health apps or wearing wearables. Workplace wellness programs? Au contraire, they make us feel less well (Harvard Business Review) and anxious that we’re being spied on by the company. Maybe we realize that All That Data isn’t secure (healthcare being a Hacker’s Holiday Camp), so we’re not playing the game. And the cost of care that the ACA was supposed to level off? Not if you’re a self-insured Boomer struggling to pay an ever-higher monthly premium, or even in a corporate high-deductible plan, paying increased deductibles, restricted networks and ever-higher treatment costs and fighting your insurer at nearly every turn. Add to that the safety risks of procedures, mistakes compounded by EHRs [Dr Robert Wachter, TTA 16 April] and (not mentioned) hospital-acquired infections. No wonder investment has cooled. Health and tech innovations do little for baby boomers

Hospitals should ‘wash their hands’ of older medical devices, OS: expert

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at the University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, and he likens the problem to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary, unintentionally corrupting systems and devices down the line.

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and it is excellent timing for releasing the highlights of Verizon’s first-ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive international Data Breach Investigations Report (DBIR), now in its eighth year.

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but a PHI breach may come from non-healthcare sources (which in the US may still be HIPAA-covered entities). This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert; included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard-to-gauge) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of breaches. And as Bryan Sartin, managing director of Verizon’s RISK team, noted in his keynote today, breaches take on average more than seven months to even be noticed. They are long term, and start small and sneaky. Two-thirds of organizations don’t find out on their own, but only when the breach starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high-profile, high-volume data hacks (Anthem), and the ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off”, in Ms Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection.

IoT’s biggest problem? Communication of Things.

The Gimlet Eye joins us for a ‘blink’ from an undisclosed, low-tech dot on the map. The fave rave of 2015 is IoT, the annoying shorthand for Internet of Things. Well, can Aunt Madge go into a store and buy an Internet Thingy? But it seems fundamental that The Things Speak with each other, if only to compare football scores and conspire against their owner to drive him or her Stark Raving Mad by producing too many ice cubes in the fridge, turning lights on/off at the wrong times or sending out for a deli order of 20 pounds of Black Forest sliced ham. Our fear about The Things was in considering that they could be hacked into doing Things Against Their Will and Not In The Owner’s Manual. But never mind, it’s not this we should be concerned about, or whether Uncle Aloysius will go off-roading in his Google Galaxie after it’s hacked for fun by an eight-year-old Black Hat. It’s that practically all of these same- or different-brand TVs, parking meters, cars and health/activity monitoring devices meant to make life simple for Auntie and Uncle are built on different platforms without a common communication protocol. The Eye is now relieved of the fear that IoT devices will be crawling out of the water onto her faraway-from-dull-care beach anytime soon. But you may not be. The Biggest Problem with the Internet of Things? Hint: It’s Not Security (Tech.co) Hat tip to follower @ersiemens via Twitter

Is IoT really necessary–and dangerous?

With the news full of health data security breaches, your Editors have also worried about medical device hacks that could threaten life. Back in May 2014, we noted Essentia Health‘s info security head deliberately hacking their own devices to find the security holes (which he drove a truck through), the concern over Dick Cheney’s defibrillator as far back as 2007 and other devices being agents of murder (postulated by the late Barnaby Jack). Multiple computer assists and internet connectivity are everywhere now–in our cars, home security, smart appliances and more. Except that they are all highly vulnerable to hacking. (Imagine your air conditioning being shut down by a hacker on a 95 degree day.)

The Hacker News (a first mention) named the top international ‘smart cities’ most susceptible to a chaos-making cyber attack, in rank order: Santander, Spain (!); New York City; Aguas De Sao Pedro, Brazil (?); Songdo, ROK; Tokyo; Hong Kong and Arlington County, Virginia (adjacent to Washington DC), noting security systems, transit,

mHealth Summit now HIMSS Connected Health Conference

Another sign that mHealth is now in our rear view mirrors [TTA 24 July] is that one of the main conferences on the US and international conference calendar is changing its name. Since 2009, the mHealth Summit has closed the year. Its organizing groups have changed and it’s gone international to Europe (the recent summit in Riga). Now it has been renamed (though not on the website yet) the HIMSS Connected Health Conference, an umbrella event comprising the mHealth Summit (including the Global mHealth Forum) and two new conferences: the Cyber Security Summit and the Population Health Summit.

The shift in the industry and new concerns are clearly reflected in this reorganization. Transitions were visible last year to this Editor in covering the sessions and speaking with exhibitors and attendees. It’s not about the tech anymore, but how it fits into care models, saves money/avoids costs, improves care, improves the experience–all population health metrics–and fits with other technology and analytics. (It’s also how it fits into government payment models, an endlessly changing equation.) What is surprising is the lifting of cybersecurity to equal status, given the Hackers’ Holiday that healthcare is now (see TTA here). (This Editor also notes that last year’s Big Buzzwords, Big Data and Analytics, have faded into where they should be: facilitating population health and, we should expect, informing data security.) We also note that HIMSS has stepped forward as the organizer. HIMSS release. Telehealth & Telecare Aware has been a media partner of the mHealth Summit for most years since 2009.

The leaky roof of healthcare data (in)security–DARPA to the rescue?

This week’s priceless quote:

“A lot of the response was, ‘We live in a cornfield in the middle of Minnesota,’” he said. “’Who wants to hurt us? Who can even find us here?’”–Jim Nelms, Mayo Clinic’s first chief information security officer.

We know where you are and what you do! The precarious state of healthcare data security at facilities and with insurers, plus increased external threats from hacking, has been getting noticed by Congress–when you see it in POLITICO, you know it has finally made it into the Rotunda. It was over the horizon late last summer with the FBI alert and legislators in high dudgeon over the Community Health Systems China hack [TTA 22 Aug 14]. It’s a roof that leaks, that costs a lot to fix, doesn’t have immediate benefit (cost avoidance never does) but when it does leak it’s disastrous.

This article rounds up much of what these pages have pointed out for several years, including the Ponemon Institute/IBM study from earlier this week, the Chinese/Russian connections behind Big Hacks not only for selling data but also IP [TTA 26 Aug 14], and how decidedly easy it is to hack devices and equipment [TTA 10 May 14]. Acknowledgement that healthcare data security is about 20 years behind finance and defense deserves a ‘hooray!’, but then you realize that on average only 3 percent of HIT spend is on security when it should be a minimum of 10 percent (HIMSS) or higher. And when the choice is between better security and uncompensated patient care, particularly in rural areas, what will it be for many healthcare organizations?

The article also doesn’t go far enough into the devil’s dilemma–that the Federal Government, with Medicare, HITECH, meaningful use, rural telehealth and programs like Medicare Shared Savings, demands more and more data tracking, sharing and response mechanisms, stretching HIT 15 ways from sundown. At the cutely named Health Datapalooza presently going on in Washington DC, data sharing is It for Quality Care, or else. Yet the cost to smaller healthcare providers of preventing that ER readmission scenario through new care models such as PCMHs and ACOs is stunning. And the consequences may be more consolidated, less available healthcare. We are already seeing merger rumors in the insurer area and scaledowns/shutdowns/buyouts of community health organizations including smaller hospitals and clinics. Also iHealthBeat.

DARPA to the rescue? The folks who brought you the Internet may develop a solution, but it won’t be tomorrow or even the day after. The Brandeis Program is a several-stage project over 4.5 years to determine how “to enable information systems that would allow individuals, enterprises and U.S. government agencies to keep personal and/or proprietary information private.” It discards the current methodology of filtering data (de-identification) or trusting third parties to secure it. Armed With Science. FedBizOpps has the broad agency announcement in addition to vendor solicitation information.

58 percent of health data breaches due to simple theft, not hacking: JAMA

Criminal activity is the cause of nearly 6 out of 10 data breaches, according to a study published in JAMA last week (subscription required). Cyberbreaches–the infamous hacking attacks–produce breaches in the millions, but the far more typical and frequent breach, if smaller, is caused by simple theft of records, electronic and paper. HealthLeaders. We’ve reported previously that stolen records (over 500) have ranged from laptops to paper records as landfill and even old-style X-ray film in dead storage, sought after for its silver content. So if Hackermania is not always running wild, except when it is, how to keep those records secure? According to West Virginia United Health System’s assistant CIO, interviewed by FierceHealthIT at HIMSS, it requires a policy change of staff education, expectations, understanding that protecting patient information is part of holistic care–and frequent audits. Trust, but verify. Encrypt–and keep passwords secure, multiple and frequently changed.

HIMSS Monday highlights

HIMSS is the largest healthcare IT conference in the US, and Neil Versel, who has just joined the staff of MedCityNews, reported that registrations for this year’s event in Chicago were in excess of 40,000. He has a 37 minute interview with HIMSS Executive Vice President Carla Smith where they touch on CMS, Meaningful Use, EHR interoperability, data security, patient engagement and the empowered patient such as E-Patient Dave deBronkart (who will also be at The King’s Fund Digital Health conference in June). HIMSS is also showcasing on the show floor mobile health, interoperability, cybersecurity, disaster preparedness, intelligent health and the connected patient….Another sign that the Wild West days of digital health are over is the increasing oversight by the Federal Trade Commission (FTC) of non-HIPAA-regulated health data collected by fitness and wellness devices. This is in addition to health apps making unsupported claims (see today’s and previous articles on melanoma detection apps) and the PaymentsMD patient billing software that was collecting a little extra patient data. FTC oversight is separate from, and in addition to, FDA’s. Mobihealthnews….. The Venture+Forum on Sunday discussed doctor burnout, particularly in acute care, and, to ease this, focusing on the Holy Grail of proactive rather than reactive care and results rather than ‘shiny new objects’ (what this Editor has called Whiz-Bang Tech): “Doctors want clinical decision execution. Don’t give me any more tools.” Healthcare IT News….A survey by Accenture released today on doctors and EHR usage headlines good news–79 percent of US doctors feel more proficient in their EHR usage than in the 2012 survey. The bad news is that other numbers are plummeting: fewer believe that EMRs have improved treatment decisions (46 percent in 2015 vs. 62 percent in 2012), reduced medical errors (64 vs. 72 percent) and improved health outcomes for patients (46 vs. 58 percent). Familiarity breeds contempt?
Buried way down in the release is that US physicians offering telehealth monitoring to patients has tripled since the last survey, from just 8 percent in 2012 to 24 percent now. Accenture surveyed over 2,600 physicians in six countries….HIMSS goes to Thursday, so more to come!

“Data moves at the speed of trust”–RWJF report

The report issued today by the influential Robert Wood Johnson Foundation (RWJF), ‘Data for Health: Learning What Works’, advocates a fresh approach to health data through greater education on the value/importance of sharing PHI, improved security and privacy safeguards and investing in community data infrastructure. If the above quote and the first two items sound contradictory, perhaps they are, but current ‘strict’ privacy regulations (that’s you, HIPAA), data siloing and the current state of the art in security aren’t stemming Hackermania (or sheer bad data hygiene and security procedures). Based on three key themes, the RWJF is recommending a suite of actions (see below) to build what they term a ‘Culture of Health’. All of which, from the 10,000 foot view, seem achievable. The need–and importantly, the perception of need–to integrate the rising quantity of data from all these devices, pry it out of its silos (elaborated upon earlier this week in ‘Set that disease data free!’), analyze it and make it meaningful plus shareable to people and their doctors/clinicians keeps building. (‘Meaningful’ here is not to be confused with the HITECH Act’s Meaningful Use.)

But who will take the lead? Who will do the work? Will the HIT structure, infrastructure and very importantly, the legal framework follow? We wonder if there is enough demand and bandwidth in the current challenged system. Release. RWJF ‘Data for Health’ page with links to study PDF, executive summary which adds details to the recommendations below, more.

Data breaches top 120 million since 2009 (US)

“The medical industry is years and years behind other industries when it comes to security.”–Dave Kennedy, TrustedSec CEO.

We admire the Washington Post for arriving at the conclusion we did in 2010–that healthcare organizations are uniquely vulnerable to cyberattack because of the high value of patient data and an often lighter level of HIT security. But now we get the finger wag that ‘it’s only going to get worse.’ (Beyond 120 million breached records?) Data security, of which HIPAA patient information protection is a part, wasn’t a priority for years, especially in organizations overwhelmed with transitioning EHRs, getting EMRs to speak with EHRs, Meaningful Use, new care and payment models, 30-day readmissions and ‘oh, by the way, how will we get paid?’ The Premera Blue Cross (Washington state) breach of 11 million records was the second largest in healthcare history (after Anthem Health‘s February bunker buster of a breach). Most breaches are from stolen laptops or shared/easy-to-guess passwords (or none at all)–but these have not been in the millions. Premera’s intrusion began on 5 May 2014 and was only discovered in January; the exposed data included SSNs, bank information, claims data, patient name/address and date of birth. Those affected were primarily in Washington state and Alaska, but also included Federal employees.

But Premera can’t say they were not warned. The US Office of Personnel Management’s Office of the Inspector General (OPM OIG) independently audited Premera in April 2014 detailing several vulnerabilities, including a lack of timely patch implementations, a lack of methodology to “ensure that unsupported or out-of-date software is not utilized” and insecure server configurations, and the need to upgrade physical access controls in their data center. FierceHealthIT
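Both Kevin Fu’s ‘basic hygiene’ point (600 Windows XP boxes in one hospital) and the OPM OIG finding that Premera had no methodology to “ensure that unsupported or out-of-date software is not utilized” come down to the same control: a regular sweep of the asset inventory for end-of-life operating systems and stale patch dates. The script below is an added example written for this page, not code from Fu, Premera, OPM or any vendor. The inventory rows, hostnames and dates are constructed; the end-of-support dates are Microsoft’s published ones; the 90-day patch-age threshold and the ‘isolate’ recommendation for unsupported medical devices (which typically cannot be patched, so network segmentation is the compensating control) are assumed local policy.

```python
"""Asset-hygiene sweep: flag hosts on end-of-life operating systems or
with stale patch dates. Added example for this page; not the code of any
organization or vendor named in the text."""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Public Microsoft end-of-extended-support dates. An OS string that is not
# listed is reported as unknown rather than silently passed.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows 7": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
    "windows server 2012 r2": date(2023, 10, 10),
}

MAX_PATCH_AGE = timedelta(days=90)   # assumed local policy, not a standard
REFERENCE_DATE = date(2016, 10, 31)  # "today" for the sample run

# Constructed inventory export: hostnames, dates and roles are invented.
SAMPLE_INVENTORY = """hostname,os,last_patched,role
infusion-pump-07,Windows XP,2013-11-02,medical device
rad-workstation-3,Windows 7,2016-09-30,clinical workstation
ehr-app-01,Windows Server 2012 R2,2016-10-05,server
lab-analyzer-2,Windows Server 2003,2015-01-20,medical device
"""


def assess(inventory_csv: str, today: date = REFERENCE_DATE) -> list[dict]:
    """Return one finding per host that fails a hygiene check.

    Each finding lists the reasons and a recommended action:
    'patch' when the OS is still supported but patching has lapsed,
    'replace' for an unsupported OS on ordinary IT kit, and
    'isolate' for an unsupported OS on a medical device, where the
    vendor usually controls patching and segmentation is the fallback.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        os_name = row["os"].strip().lower()
        patched = date.fromisoformat(row["last_patched"].strip())
        eos = END_OF_SUPPORT.get(os_name)
        unsupported = eos is not None and eos <= today
        reasons = []
        if eos is None:
            reasons.append(f"no end-of-support date on file for {row['os']!r}")
        elif unsupported:
            reasons.append(f"OS unsupported since {eos.isoformat()}")
        age = today - patched
        if age > MAX_PATCH_AGE:
            reasons.append(f"last patched {age.days} days ago")
        if not reasons:
            continue
        if unsupported and row["role"].strip() == "medical device":
            action = "isolate"
        elif unsupported:
            action = "replace"
        else:
            action = "patch"
        findings.append({"hostname": row["hostname"], "role": row["role"],
                         "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['hostname']:<20} {f['action']:<8} {'; '.join(f['reasons'])}")
```

Run against the sample inventory it flags the XP infusion pump and the Server 2003 lab analyzer (both unsupported for years and unpatched for longer) and passes the two hosts that are supported and recently patched. In practice the CSV would come from whatever asset or vulnerability management export the organization already has; the point is that the check is cheap, repeatable and exactly what an auditor asks for.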

Premera’s medical files data may expose other payers, which in turn may legally come after Premera, according to FierceHealthIT.

Only now are health systems and practices focusing on securing all information